Op-Ed: Complying with Coast Guard’s final rule on cybersecurity

Written by Heather Ervin
Andy Lee (left) and Jim Kearns (right)

By Jim Kearns and Andy Lee, Jones Walker LLP

On January 17, the U.S. Coast Guard released a final rule on cybersecurity in the U.S. marine transportation system. The rule establishes cybersecurity requirements for U.S.-flag vessels, facilities, and Outer Continental Shelf facilities that are regulated under the Maritime Transportation Security Act of 2002. These requirements will become effective on July 16 for the owners and operators of such vessels and facilities.

The core requirements for entities covered by the final rule are: (1) to designate a cybersecurity officer (CySO), (2) to develop and maintain cybersecurity plans and assessments, (3) to conduct cybersecurity training and exercises, and (4) to establish technical cybersecurity controls.

An organization’s compliance with the rule’s cybersecurity requirements begins with the designation of the CySO. This person is tasked with implementing and maintaining cybersecurity throughout the organization. The rule allows for the designation of alternate CySOs and permits one individual to serve multiple vessels or facilities, providing useful flexibility for operators.

Second, organizations must create and maintain detailed cybersecurity plans and separate incident response plans as outlined in the rule. These plans must be submitted to the Coast Guard for review and approval within 24 months of the rule’s effective date (by July 16, 2027) and must be renewed every five years. Regular cybersecurity assessments are required to ensure that the organization’s cybersecurity plan is being implemented.

The rule requires cybersecurity training for all personnel using an information technology (IT) or operational technology (OT) system, with two cybersecurity drills to be conducted annually. The rule specifies time limits within which training needs to be completed on particular topics and for certain personnel, particularly those with access to IT and OT systems. Regular penetration testing is required in conjunction with each renewal of the cybersecurity plan.

The required technical controls include:

  • Multifactor authentication on password-protected IT and remotely accessible OT systems
  • Device security measures according to the cybersecurity plan
  • Lists of approved hardware, firmware, and software
  • Data encryption
  • Network segmentation and monitoring
  • Supply chain security measures according to the cybersecurity plan

If an incident occurs that actually jeopardizes the integrity, confidentiality, or availability of information on an information system, or jeopardizes an information system itself, such an incident must be reported to the National Response Center staffed by the Coast Guard.

In the preamble to the rule, the Coast Guard notes that it will work with partner agencies to harmonize and align the reporting requirements of the rule with other cybersecurity regulations, to the extent practicable, including a final rule to be issued by the U.S. Cybersecurity and Infrastructure Security Agency under the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

There are several key takeaways for covered organizations. First, each such organization should begin preparation now. Given the scope of the required changes, the 24-month implementation period will pass quickly. Each organization should evaluate its current cybersecurity staffing and capabilities to decide how it will meet the requirement to have a designated CySO. Existing cybersecurity and other security measures should be reviewed to identify what additional measures are needed to meet the detailed technical requirements specified in the rule. Planning should begin for the training, drills, and other exercises that will be required for the organization’s personnel.

In Section VII of the rule’s preamble, the Coast Guard requests public comment on a potential delay of two to five years for the implementation periods for new requirements applicable to U.S.-flag vessels, but the implementation period for incident reporting will begin immediately upon the effective date of the rule. After reviewing this section of the preamble, owners or operators of U.S.-flag vessels might wish to consider submitting a comment on such a delay in implementation.
